87a3dd83d974ac74a1583ee3031f951c1366790086c8cd06cf8f286338751cf9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZaiPrivateRUNASADMIN.exe
Size

17.9MB
MD5

09fa5a70bedf0d34780c924a3bd49c1f
SHA1

ad8440457662d1ea99b89ab46c41ad01f9b13943
SHA256

87a3dd83d974ac74a1583ee3031f951c1366790086c8cd06cf8f286338751cf9
SHA512

0257dd13d9b944b1c740f52e6773b0b45078b861e69e2711b6173c75bb09fa4f5b82f51fc5efc619da453d58b059ea19829ecae8a29b3907fa5db83811e54b3b
SSDEEP

393216:POqPnLFXlrQQ+DOETgsvfGxgfyvEhABdKZW0q:bPLFXNQQ/Eq+L2/K0

Score

7^/10

defense_evasion privilege_escalation upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2008	ZaiPrivateRUNASADMIN.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c889-112.dat	upx
behavioral1/memory/2008-114-0x000007FEF5B60000-0x000007FEF5FCE000-memory.dmp	upx

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2008	ZaiPrivateRUNASADMIN.exe
1764	ZaiPrivateRUNASADMIN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2008	1764	ZaiPrivateRUNASADMIN.exe	31
PID 1764 wrote to memory of 2008	1764	ZaiPrivateRUNASADMIN.exe	31
PID 1764 wrote to memory of 2008	1764	ZaiPrivateRUNASADMIN.exe	31

C:\Users\Admin\AppData\Local\Temp\ZaiPrivateRUNASADMIN.exe
"C:\Users\Admin\AppData\Local\Temp\ZaiPrivateRUNASADMIN.exe"
1⤵
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\ZaiPrivateRUNASADMIN.exe
  "C:\Users\Admin\AppData\Local\Temp\ZaiPrivateRUNASADMIN.exe"
  2⤵
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17642\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
memory/2008-114-0x000007FEF5B60000-0x000007FEF5FCE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads